Tuesday, 19 June 2018

Create a network security group using the Azure portal

You can use an NSG to control traffic to one or more virtual machines (VMs), role instances, network adapters (NICs), or subnets in your virtual network. An NSG contains access control rules that allow or deny traffic based on traffic direction, protocol, source address and port, and destination address and port. The rules of an NSG can be changed at any time, and changes are applied to all associated instances.

In this scenario, you create an NSG for each subnet in the IBIKZVnet10 virtual network, as follows:


Create the IBIKZ-NSG (NSG)

To create the IBIKZ-NSG as shown in the scenario, complete the following steps:


Create rules in an existing NSG


To create rules in an existing NSG from the Azure portal, complete the following steps:

  1. Select All services, then search for Network security groups. When Network security groups appears, select it.
  2. In the list of NSGs, select IBIKZ-NSG > Inbound security rules.
  3. In the list of Inbound security rules, select Add.
  4. Under Add inbound security rule, create a rule named web-rule with a priority of 200 that allows access via TCP to port 80 on any VM from any source, and then select OK. Notice that most of these settings are already default values.
  5. After a few seconds, you see the new rule in the NSG.
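The web-rule above is one custom rule sitting on top of the three inbound default rules every NSG carries (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500); Azure evaluates rules in ascending priority order and stops at the first match. The script below is an added example, not code from the post, that simulates that decision for a few constructed flows so you can see what the priority-200 rule actually exposes (port 80 from any source, including the Internet) and what stays closed (everything else from outside the VNet, such as RDP on 3389). The rule names, ports and sample addresses are constructed for illustration.

```python
"""Simulate how an Azure NSG decides an inbound flow: rules are evaluated in
ascending priority order and the first match wins; the three built-in inbound
default rules sit at the bottom. Added example with constructed flows."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR prefix, service tag, or "*"
    dest_port: str  # "80", "1000-2000" or "*"


# Azure's built-in inbound default rules (present in every NSG, lowest precedence).
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
)

# The rule from the post: priority 200, allow TCP/80 from any source to any VM.
WEB_RULE = Rule("web-rule", 200, "Allow", "Tcp", "*", "80")

# A constructed, lower-numbered Deny that wins over web-rule for one source range.
DENY_BADNET = Rule("deny-badnet", 100, "Deny", "Tcp", "203.0.113.0/24", "80")

SERVICE_TAGS = {"VirtualNetwork", "AzureLoadBalancer", "Internet"}


def _port_matches(spec, port):
    """Match a single port or an inclusive 'lo-hi' range; '*' matches all."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _source_matches(spec, src_tag, src_ip):
    """Service tags are compared by name; anything else is a CIDR prefix."""
    if spec == "*":
        return True
    if spec in SERVICE_TAGS:
        return spec == src_tag
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec, strict=False)


def evaluate_inbound(custom_rules, src_tag, src_ip, protocol, dest_port):
    """Return (access, matching rule name) for one inbound flow."""
    for rule in sorted((*custom_rules, *DEFAULT_INBOUND), key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if not _port_matches(rule.dest_port, dest_port):
            continue
        if not _source_matches(rule.source, src_tag, src_ip):
            continue
        return rule.access, rule.name
    raise RuntimeError("DenyAllInBound always matches")  # unreachable


if __name__ == "__main__":
    # Constructed flows against the post's NSG (web-rule plus the defaults).
    flows = [
        ("Internet", "203.0.113.10", "Tcp", 80),      # Allow by web-rule
        ("Internet", "203.0.113.10", "Tcp", 3389),    # Deny by DenyAllInBound
        ("Internet", "203.0.113.10", "Udp", 80),      # Deny: protocol differs
        ("VirtualNetwork", "10.0.1.4", "Tcp", 3389),  # Allow by AllowVnetInBound
    ]
    for flow in flows:
        print(flow, "->", evaluate_inbound([WEB_RULE], *flow))
    # With DENY_BADNET added, the same port-80 flow from 203.0.113.0/24 is denied.
    print(evaluate_inbound([DENY_BADNET, WEB_RULE], "Internet", "203.0.113.10", "Tcp", 80))
```

Run it as a script to print the decision for each constructed flow. The useful check before you click OK in the portal is the second flow: nothing in the NSG allows RDP from the Internet, so 3389 is only reachable from inside the VNet via AllowVnetInBound, which is the behaviour you want to preserve when you add further rules.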




Associate the NSG to the IBIKZVnet10 subnet


  1. Select All services, enter Resource groups, select Resource groups when it appears, then select RG-NSG.
  2. Under RG-NSG, select ... > IBIKZVnet10.
  3. Under Settings, select Subnets > FrontEnd > Network security group > IBIKZ-NSG.
  4. In the FrontEnd blade, select Save.

Monday, 18 June 2018

Connect Two Azure Resource Manager Virtual Networks Using VNet Peering

In this post I will show you how to link two virtual networks using VNet Peering, a new feature in Microsoft Azure.


What Is VNet Peering?

VNet Peering is the easiest and best-performing way to connect two virtual networks (VNets). The alternative, VNet-to-VNet VPN, requires that you deploy a gateway in each of the connected VNets and then create a VPN tunnel between the two VNets. Because you must use a gateway, the VPN option limits network speeds between the VNets to the bandwidth of the gateway — 80 Mbps in the case of a Basic gateway (not 100 Mbps as often documented).

VNet Peering links VNets using the underlying software-defined network, tunnelling packets across the physical data centre networks using NVGRE. This means that you don't need a gateway and that two virtual machines in different VNets can communicate at the speed of their NICs (that's going to be around 25 Gbps for some machines once a current hardware offload preview becomes generally available).

Limitations of VNet Peering


My approach to linking VNets is that I always want to use VNet Peering, but there are times that I must fall back to using VNet-to-VNet VPN. Here are some of the requirements and limitations of VNet Peering:

  • VNets in different regions: VNet Peering requires that both VNets must be in the same Azure region.
  • Network addresses: The IP address spaces of both VNets must not overlap.
  • No A-B-C links: There is no implied transitive linking of VNets. If you link VNet A to VNet B, and VNet B to VNet C, there is no implied routing from VNet A to VNet C. This would require the use of network virtualization appliances to act as routers, or that you peer VNet A with VNet C.
  • Across-subscriptions: You can link two VNets that are in different Azure subscriptions. This can be useful in situations in which a single organisation has multiple Azure subscriptions for budgetary or logistical reasons. Note that the VNets must still be in the same Azure region and that the user must have administrative rights in both subscriptions.
  • ASM and ARM: You can link a classic or Azure Service Management (ASM) VNet with an Azure Resource Manager (ARM) VNet, as long as they are in the same subscription.
  • No ASM-ASM links: You cannot peer a classic/ASM VNet with another classic/ASM VNet.
  • Charges: There is a small data transfer charge for traffic that passes between VNets using VNet Peering.

Implementing VNet Peering


Two Azure virtual networks in the same region

A peering must be created from each VNet to link it to the other VNet, so you will create two connections:

  1. Open the settings of a virtual network and browse into Peerings.
  2. Click Add.
  3. Give the peering connection a name; I try to use the names of the two VNets with the first one being the origin.
  4. You have two ways to select the other (remote) VNet. If you know the resource ID of the other VNet, check the box for I Know My Resource ID and paste the resource ID in. Otherwise, select a subscription that you have administrative access to, and then select a VNet from that subscription.



Create the first VNet peering connection


Create the second VNet peering connection

You should see the peering status of the two VNets switch to Connected after a few minutes. Now virtual machines on each VNet can talk at NIC speeds to virtual machines on the other VNet.
If virtual machines are failing to reach each other, check your network security groups to ensure that the traffic is allowed to and from the required virtual NICs/subnets.
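Three points from this post are worth checking before you open the portal: both VNets must be in the same region, their address spaces must not overlap, and a peering only becomes Connected once a half has been created from each side, with no transitive reachability through a third VNet. The script below is an added example (not the post's own code) that encodes those checks against constructed VNet names, regions and address ranges; the state names Connected and Initiated mirror the portal's status column.

```python
"""Pre-peering checks for Azure VNets, plus the state of a peering built from
its two halves. Added example; the VNet names, regions and ranges are
constructed for illustration and are not from the post."""
import ipaddress
from itertools import product

# Constructed sample VNets: region plus one or more address spaces.
VNETS = {
    "VNet-A": {"region": "northeurope", "spaces": ["10.1.0.0/16"]},
    "VNet-B": {"region": "northeurope", "spaces": ["10.2.0.0/16"]},
    "VNet-C": {"region": "northeurope", "spaces": ["10.3.0.0/16"]},
    "VNet-D": {"region": "northeurope", "spaces": ["10.2.128.0/17"]},  # overlaps VNet-B
    "VNet-E": {"region": "westeurope", "spaces": ["10.5.0.0/16"]},     # other region
}

# Constructed peering halves, each written as (origin VNet, remote VNet).
# A-B and B-C are complete; C->A has only one half so far.
HALVES = {
    ("VNet-A", "VNet-B"), ("VNet-B", "VNet-A"),
    ("VNet-B", "VNet-C"), ("VNet-C", "VNet-B"),
    ("VNet-C", "VNet-A"),
}


def peering_problems(vnets, a, b):
    """Return the reasons a peering between a and b would be rejected under
    the post's rules: same region, and no overlapping address space."""
    problems = []
    va, vb = vnets[a], vnets[b]
    if va["region"] != vb["region"]:
        problems.append(f"{a} is in {va['region']} but {b} is in {vb['region']}")
    for pa, pb in product(va["spaces"], vb["spaces"]):
        if ipaddress.ip_network(pa).overlaps(ipaddress.ip_network(pb)):
            problems.append(f"{a} space {pa} overlaps {b} space {pb}")
    return problems


def peering_state(halves, a, b):
    """'Connected' when a half exists from each side, 'Initiated' when only
    one side has been created, None when the two VNets are not peered."""
    forward, backward = (a, b) in halves, (b, a) in halves
    if forward and backward:
        return "Connected"
    if forward or backward:
        return "Initiated"
    return None


def can_reach(halves, src, dst):
    """Peering is not transitive: src reaches dst only over a Connected peering
    between exactly those two VNets, never through a third VNet."""
    return peering_state(halves, src, dst) == "Connected"


if __name__ == "__main__":
    print(peering_problems(VNETS, "VNet-A", "VNet-B"))  # []
    print(peering_problems(VNETS, "VNet-B", "VNet-D"))  # address space overlap
    print(peering_problems(VNETS, "VNet-A", "VNet-E"))  # different regions
    for pair in [("VNet-A", "VNet-B"), ("VNet-B", "VNet-C"), ("VNet-A", "VNet-C")]:
        print(pair, peering_state(HALVES, *pair), can_reach(HALVES, *pair))
```

The last loop is the one that catches people: A-B and B-C are both Connected, yet `can_reach(HALVES, "VNet-A", "VNet-C")` is False until the A-C peering itself has a half from each side, exactly as the "No A-B-C links" limitation says.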

Advanced Configuration

There are four options to note. The first of these disables the VNet peering (and cross-VNet communications) until you are ready to enable it. The other options, used for complex hub/spoke architectures, are as follows:
  • Allow Forwarded Traffic: Allow traffic from a location other than the remote VNet to transit the peering into this VNet.
  • Allow Gateway Transit: Allow the peered VNet to send traffic through the VPN/ExpressRoute gateway in this VNet.
  • Use Remote Gateways: Allow virtual machines on this VNet to route via a VPN/ExpressRoute gateway in the other VNet.



Thursday, 14 June 2018

Create a Windows virtual machine in the Azure portal

Azure virtual machines (VMs) can be created through the Azure portal. This method provides a browser-based user interface to create VMs and their associated resources. This quickstart shows you how to use the Azure portal to deploy a virtual machine (VM) in Azure that runs Windows Server 2016. To see your VM in action, you then RDP to the VM and install the IIS web server.

Create virtual machine

  1. Choose Create a resource in the upper left-hand corner of the Azure portal.
  2. In the search box above the list of Azure Marketplace resources, search for and select Windows Server 2016 Datacenter, then choose Create.
  3. Provide a VM name, such as myVM, leave the disk type as SSD, then provide a username, such as azureuser. The password must be at least 12 characters long and meet the defined complexity requirements. Choose to Create new resource group, then provide a name, such as myResourceGroup. Choose your desired Location, then select OK.
  4. Select a size for the VM. You can filter by Compute type or Disk type, for example. A suggested VM size is D2s_v3.
  5. Under Settings, leave the defaults and select OK.
  6. On the summary page, select Create to start the VM deployment.
  7. The VM is pinned to the Azure portal dashboard. Once the deployment has completed, the VM summary automatically opens.

Connect to virtual machine

Create a remote desktop connection to the virtual machine. These directions tell you how to connect to your VM from a Windows computer. On a Mac, you need an RDP client such as the Remote Desktop Client from the Mac App Store.

  1. Click the Connect button on the virtual machine properties page.
  2. In the Connect to virtual machine page, keep the default options to connect by DNS name over port 3389 and click Download RDP file.
  3. Open the downloaded RDP file and click Connect when prompted.
  4. In the Windows Security window, select More choices and then Use a different account. Type the username as vmname\username, enter the password you created for the virtual machine, and then click OK.
  5. You may receive a certificate warning during the sign-in process. Click Yes or Continue to proceed with the connection.

Tuesday, 12 June 2018

Step-By-Step: Configuring a site-to-site VPN Gateway between Azure and On-Premise

Using a site-to-site VPN gateway can provide better continuity for your workloads in a hybrid cloud setup with Azure. This post demonstrates how to set up a site-to-site VPN gateway to enable this.

The process involves the following steps:

  1. Create a VNet
  2. Add a gateway subnet
  3. Assign a public IP address
  4. Add a virtual network gateway
  5. Create a connection object that connects the two virtual network gateways
Requirements

Before starting, make sure you have the following in place:
1) VPN device: A VPN device is needed on-premises to create the VPN connection with Azure.
2) Static public IP address: The VPN device must have an external public IP address, and it must not be behind NAT.
3) A valid Azure subscription.

Create Virtual Network

If you already have a virtual network set up in your Azure subscription, you do not need to do this step, but make sure its settings are correct.
1) Log in to the Azure portal.
2) Go to New > Networking > Virtual Network.
3) Then click on Create.
4) The next page opens the wizard with the VNet information. Fill in the information to match your configuration:

Name: Name for the VNet
Address Space: IP range for the VNet. If you have multiple address ranges, the others can be added later
Subnet name: Name for the subnet you would like to add
Subnet Address range: Subnet IP range (it must be within the Address Space listed above)
Resource Group: Create a new group or select an existing group
Location: Location of the VNet

After that, click on Create to continue.
5) Once the VNet is created, you can modify its address ranges and subnets.



Create Gateway Subnet

The next step is to create a gateway subnet for the VNet. It is recommended to use a /28 or /27 for the gateway subnet. This needs to be done before connecting the VNet to the gateway.
1) Log in to the Azure portal.
2) Then go to More Services > Virtual Networks.
3) Click on the VNet created in the previous step, click on Subnets, and then click on Gateway subnet.
4) In the next window, define the subnet for the gateway and click OK.





Create Virtual Network Gateway

The next step is to create the virtual network gateway.
1) Log in to the Azure portal.
2) Go to New > Networking > Virtual Network Gateway.
3) In the next window, fill in the relevant information and click on Create:

Name: Name for the virtual network gateway
Gateway Type: For our VPN it will be VPN
VPN Type: Type of the VPN; a regular VPN will be route-based
SKU: SKU for the VPN type
Virtual Network: Select the VNet you created in the previous step
Public IP Address: The VPN needs a public IP address. Select one here; if you don't have one, clicking the option lets you add a new one
Location: Select the region that matches the VNet's region
4) It can take up to 45 minutes to complete the task. Once it's done, you can see the public IP address details. You need this to configure your on-premises VPN device.



Create Local Network Gateway

The next step is to create the local network gateway, which represents your on-premises network. To create it:
1) Log in to the Azure portal.
2) Go to New > Networking > Local network gateway.
3) A new wizard opens; fill in the relevant information and then click on Create to proceed:

Name: Name for the local network gateway
IP Address: Public IP address of your VPN device. It must not be behind NAT
Address Space: Your on-premises address ranges. You can add multiple ranges
Resource Group: Create a new resource group or use the same one you were using




Create Site-to-Site VPN

The next step is to create the Site-to-Site VPN connection between your VPN device and the virtual network gateway. To create it:
1) Log in to the Azure portal.
2) Go to More Services > Virtual network gateways.
3) Click on the virtual network gateway you created, then under Settings click on Connections, and then click on Add.
4) In the wizard, fill in the relevant information and click OK:

Name: Name of the connection
Connection Type: Type of the VPN. Most of the time it is site-to-site
Virtual Network Gateway: Select the relevant virtual network gateway
Local Network Gateway: Select the relevant local network gateway for your connection
Shared Key: This is the pre-shared key you are going to use for the VPN configuration
5) Once created, it is all about configuring the VPN on your VPN device.
6) Once connected, you can see the status on the same page by clicking on the connection.
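Two of the address decisions in this walkthrough are easy to get wrong in the portal and expensive to undo after the gateway has spent 45 minutes deploying: the gateway subnet (the post recommends a /27 or /28) must sit inside the VNet's address space without colliding with the subnets you already have, and the on-premises ranges you type into the local network gateway must not overlap the VNet, or traffic will not route across the tunnel. The script below is an added example (not the post's own code) that performs those checks with Python's standard `ipaddress` module; the VNet space, subnets and on-premises ranges are constructed sample values.

```python
"""Address planning checks for the site-to-site setup in the post: pick a
gateway subnet that fits the VNet, and confirm the local network gateway's
on-premises ranges do not overlap it. Added example with constructed values."""
import ipaddress

# Constructed sample values (hypothetical; not from the post).
VNET_SPACE = "10.0.0.0/16"
EXISTING_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24"]
ONPREM_RANGES = ["192.168.0.0/16", "172.16.0.0/12"]

RECOMMENDED_MAX_PREFIXLEN = 28   # the post recommends /27 or /28


def plan_gateway_subnet(vnet_space, existing_subnets, prefixlen=27):
    """Return the first block of the requested size inside vnet_space that
    overlaps no existing subnet, or None if the address space is exhausted."""
    space = ipaddress.ip_network(vnet_space)
    taken = [ipaddress.ip_network(s) for s in existing_subnets]
    for candidate in space.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None


def check_site_to_site(vnet_space, gateway_subnet, existing_subnets, onprem_ranges):
    """Return a list of problems with the chosen gateway subnet and the
    on-premises address space; an empty list means the plan is consistent."""
    problems = []
    space = ipaddress.ip_network(vnet_space)
    gw = ipaddress.ip_network(gateway_subnet)

    if not gw.subnet_of(space):
        problems.append(f"gateway subnet {gw} is not inside VNet space {space}")
    for s in existing_subnets:
        if gw.overlaps(ipaddress.ip_network(s)):
            problems.append(f"gateway subnet {gw} overlaps existing subnet {s}")
    if gw.prefixlen > RECOMMENDED_MAX_PREFIXLEN:
        problems.append(f"gateway subnet {gw} is smaller than the recommended /27 or /28")

    # Ranges declared on the local network gateway must be disjoint from the
    # VNet, otherwise Azure cannot tell VNet-local traffic from tunnel traffic.
    for r in onprem_ranges:
        if ipaddress.ip_network(r).overlaps(space):
            problems.append(f"on-premises range {r} overlaps VNet space {space}")
    return problems


if __name__ == "__main__":
    gw = plan_gateway_subnet(VNET_SPACE, EXISTING_SUBNETS)
    print("gateway subnet:", gw)  # 10.0.2.0/27
    print("problems:", check_site_to_site(VNET_SPACE, gw, EXISTING_SUBNETS, ONPREM_RANGES))
    # A plan that reuses 10.0.0.0/8 on-premises would collide with the VNet.
    print(check_site_to_site(VNET_SPACE, gw, EXISTING_SUBNETS, ["10.0.0.0/8"]))
```

Run it before step 4 of Create Gateway Subnet and again before filling in the local network gateway; the same overlap test is also what you want when a second site is added later with its own address ranges.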